To get all the syscalls, grab the linux-libc-dev packages for all the
architectures (eg, amd64, arm64, armhf, i386, powerpc, ppc64el) and put them
in a directory. Then:
mkdir extracted
for i in ./*deb ; do
dpkg-deb -x $i ./extracted
done
for i in `find . -name "unistd*.h"|grep gnu` ; do egrep '^#define .*_NR_([a-z0-9_\-]*)' $i | awk '{print $2}' | sed 's/.*_NR_//' ; done|sort -u
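NOTE: syscall() isn't actually a syscall; it is a glibc wrapper that invokes
a syscall by number (therefore, it should be omitted from filter policy). The
filter is evaluated against the number of the syscall that is actually
invoked, so the wrapper itself never needs a policy entry. ARM OABI did
define a syscall with this name, but it has been obsoleted in EABI.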
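For example, on Ubuntu 16.04 with the 4.4.0-16.32 Linux kernel, these are the
syscalls (this is a snapshot for that kernel; regenerate the list with the
commands above when targeting another kernel version, since the set of
defined syscalls can differ):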
accept
accept4
access
acct
add_key
adjtimex
afs_syscall
alarm
arch_prctl
arm_fadvise64_64
arm_sync_file_range
bdflush
bind
bpf
break
breakpoint
brk
cacheflush
capget
capset
chdir
chmod
chown
chown32
chroot
clock_adjtime
clock_getres
clock_gettime
clock_nanosleep
clock_settime
clone
close
connect
creat
create_module
delete_module
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
exit
exit_group
faccessat
fadvise64
fadvise64_64
fallocate
fanotify_init
fanotify_mark
fchdir
fchmod
fchmodat
fchown
fchown32
fchownat
fcntl
fcntl64
fdatasync
fgetxattr
finit_module
flistxattr
flock
fork
fremovexattr
fsetxattr
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fsync
ftime
ftruncate
ftruncate64
futex
futimesat
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
get_kernel_syms
get_mempolicy
getpeername
getpgid
getpgrp
getpid
getpmsg
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
get_robust_list
getrusage
getsid
getsockname
getsockopt
get_thread_area
gettid
gettimeofday
getuid
getuid32
getxattr
gtty
idle
init_module
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
ioctl
io_destroy
io_getevents
ioperm
iopl
ioprio_get
ioprio_set
io_setup
io_submit
ipc
kcmp
kexec_file_load
kexec_load
keyctl
kill
lchown
lchown32
lgetxattr
link
linkat
listen
listxattr
llistxattr
_llseek
lock
lookup_dcookie
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
membarrier
memfd_create
migrate_pages
mincore
mkdir
mkdirat
mknod
mknodat
mlock
mlock2
mlockall
mmap
mmap2
modify_ldt
mount
move_pages
mprotect
mpx
mq_getsetattr
mq_notify
mq_open
mq_timedreceive
mq_timedsend
mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
multiplexer
munlock
munlockall
munmap
name_to_handle_at
nanosleep
newfstatat
_newselect
nfsservctl
nice
oldfstat
oldlstat
oldolduname
oldstat
olduname
open
openat
open_by_handle_at
pause
pciconfig_iobase
pciconfig_read
pciconfig_write
perf_event_open
personality
pipe
pipe2
pivot_root
poll
ppoll
prctl
pread64
preadv
prlimit64
process_vm_readv
process_vm_writev
prof
profil
pselect6
ptrace
putpmsg
pwrite64
pwritev
query_module
quotactl
read
readahead
readdir
readlink
readlinkat
readv
reboot
recv
recvfrom
recvmmsg
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
request_key
restart_syscall
rmdir
rtas
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_tgsigqueueinfo
s390_pci_mmio_read
s390_pci_mmio_write
s390_runtime_instr
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_setaffinity
sched_setattr
sched_setparam
sched_setscheduler
sched_yield
seccomp
security
select
semctl
semget
semop
semtimedop
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
setdomainname
setfsgid
setfsgid32
setfsuid
setfsuid32
setgid
setgid32
setgroups
setgroups32
sethostname
setitimer
set_mempolicy
setns
setpgid
setpriority
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setrlimit
set_robust_list
setsid
setsockopt
set_thread_area
set_tid_address
settimeofday
set_tls
setuid
setuid32
setxattr
sgetmask
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
socket
socketcall
socketpair
splice
spu_create
spu_run
ssetmask
stat
stat64
statfs
statfs64
stime
stty
subpage_prot
swapcontext
swapoff
swapon
switch_endian
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
syscall
_sysctl
sys_debug_setcontext
sysfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timerfd
timerfd_create
timerfd_gettime
timerfd_settime
timer_getoverrun
timer_gettime
timer_settime
times
tkill
truncate
truncate64
tuxcall
ugetrlimit
ulimit
umask
umount
umount2
uname
unlink
unlinkat
unshare
uselib
userfaultfd
usr26
usr32
ustat
utime
utimensat
utimes
vfork
vhangup
vm86
vm86old
vmsplice
vserver
wait4
waitid
waitpid
write
writev